Previous Topic: Comparing Federation and Web Access Management for Single Sign-onNext Topic: Federated Transaction Process Flows


Federation Web Services

Federation Web Services Overview

The Federation Web Services (FWS) application is installed with the Web Agent Option Pack on a server that has a connection to a Policy Server. The Federation Web Services and the Web Agent support the following web browser single sign-on profiles. These profiles convey information from one site to another through a standard browser.

The supported profiles are:

SAML 1.x Artifact and POST Profiles

For the SAML 1.x artifact and POST profiles, the Federation Web Services application uses the following services:

Assertion Retrieval Service (SAML 1.x Artifact only)

A producer-side component. This service handles a SAML request for the assertion that corresponds to a SAML artifact by retrieving the assertion from the CA SiteMinder® session store. The SAML specification defines the assertion retrieval request and response behavior.

Note: Only the SAML artifact profile uses the assertion retrieval service..

SAML Credential Collector (SAML 1.x)

A consumer-side component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The credential collector issues CA SiteMinder® cookies to a browser of the user.

Intersite Transfer Service (SAML 1.x)

A producer-side component for the SAML POST profile. The intersite transfer service transfers a user from the producer site to a consumer site. For the SAML artifact profile, the Web Agent performs the same function as the intersite transfer service.

SAML 2.0 Artifact and POST Profiles

For SAML 2.0 artifact and POST profiles, the Federation Web Services application uses the following services:

Artifact Resolution Service (SAML 2.0 Artifact only)

An Identity Provider-side service that corresponds to the SAML 2.0 authentication using the HTTP-artifact binding. This service retrieves the assertion stored in the CA SiteMinder® session store at the Identity Provider.

Note: Only the HTTP-artifact binding uses the artifact resolution service.

Assertion Consumer Service (SAML 2.0)

A Service Provider component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The Assertion Consumer Service issues CA SiteMinder® cookies to a browser.

Note: The Assertion Consumer Service accepts an AuthnRequest with an AssertionConsumerServiceIndex value of 0. All other values for this setting are denied.

AuthnRequest Service (SAML 2.0)

This service is deployed for use by SAML 2.0. A Service Provider can generate an <AuthnRequest> message to authenticate a user for cross-domain single sign-on. This message contains information that enables the Federation Web Services application to redirect the browser to the single sign-on service at the Identity Provider. The AuthnRequest service is used for POST and Artifact single sign-on.

Single Sign-on Service (SAML 2.0)

The single sign-on service enables an Identity Provider to process AuthnRequest messages. The service also invokes the assertion generator to create an assertion that is sent to the Service Provider.

Single Logout Service (SAML 2.0)

This service implements processing of single logout functionality, which an Identity Provider or a Service Provider can initiate.

Identity Provider Discovery Service (SAML 2.0)

Implements SAML 2.0 Identity Provider Discovery Profile and sets and retrieves the common domain cookie. An IdP requests to set the common domain cookie after authenticating a principal. An SP requests to obtain the common domain cookie to discover which Identity Provider a principal is using.

WS-Federation Profile

For the WS-Federation profile, the Federation Web Services application uses the following services:

Security Token Consumer Service

A Resource Partner component that receives a security token and extracts the corresponding SAML assertion. The Security Token Consumer Service issues cookies to a browser.

Single Sign-on Service

Enables an Identity Provider to process a sign-on message and gather the necessary Resource Partner information to authenticate the user. This service also invokes the assertion generator to create an assertion that is sent to the Resource Partner.

Sign-out Service

Implements processing of a single sign-out transaction by way of a sign-out servlet. An Identity Provider or a Resource Partner can initiate sign-out.